# ory-selfhosting
c
Hello! I am also facing issues due to CSRF token validation while using the Go client libraries github.com/ory/hydra-client-go v1.11.8 and github.com/ory/kratos-client-go v1.1.0, and I pass the cookie from the browser in a backend call to get the login request. Based on the Kratos logs it seems that Kratos sends a redirect from /self-service/login/flows to /admin/self-service/login/flows, thus the CSRF cookie might be gone after the redirect, hence 403. Is the redirect expected? I have specified KRATOS_ADMIN_API_URL: "http://kratos:4434" in my Login app and SERVE_ADMIN_BASE_URL=http://kratos:4434/ in Kratos. Code sample:
```go
// Forward the browser's Cookie header unchanged to Kratos when fetching the login flow.
cookie := string(ctx.Request().Header.Peek("Cookie"))
r.Log().Info("Getting flow", zap.String("flow", *flowId), zap.String("cookie", cookie))
loginFlow, _, err := r.kratosC.FrontendAPI.GetLoginFlow(ctx.App().BackgroundContext()).Id(*flowId).Cookie(cookie).Execute()
```
Kratos logs:
```text
time=2024-05-02T20:16:45Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.623/reqlog/middleware.go:134 http_request=map[headers:map[accept:application/json accept-encoding:gzip cookie:[ory_hydra_login_csrf_2313898012=MTcxNDY4MTAwNXxiY2czVVJRS3VKUjVsZ181bVhrZVhzSWppZm1Ra28xN081NFVDY1cxNUJERFNXWTJic1phSnFOdnJYS1hmQnJ6c0ptbndGY2oybkhwbkxKbnloUTdHUS1IbVB3UDVmUTRDMGxlYjZHWERnMTQ3NXpXTmdWU2FuRFd3YTN6fH799ic2bpDxblVD3mz8RLffOUKimqYzGpFeiQTUD7Fv; csrf_token_fec1a049ce0ed19a0b238f769419006b2d79c27b8c238b907b92193c5f76042b=HCBvI21RNImWntcLej5RAMJ2jMf4k2O8CyJb5+tJJoc=] user-agent:OpenAPI-Generator/1.0.0/go] host:kratos:4434 method:GET path:/self-service/login/flows query:id=befa2265-bb30-4b0b-a4f1-b4eed9172069 remote:x.x.1.6:60244 scheme:http]
time=2024-05-02T20:16:45Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.623/reqlog/middleware.go:146 http_request=map[headers:map[accept:application/json accept-encoding:gzip cookie:[ory_hydra_login_csrf_2313898012=MTcxNDY4MTAwNXxiY2czVVJRS3VKUjVsZ181bVhrZVhzSWppZm1Ra28xN081NFVDY1cxNUJERFNXWTJic1phSnFOdnJYS1hmQnJ6c0ptbndGY2oybkhwbkxKbnloUTdHUS1IbVB3UDVmUTRDMGxlYjZHWERnMTQ3NXpXTmdWU2FuRFd3YTN6fH799ic2bpDxblVD3mz8RLffOUKimqYzGpFeiQTUD7Fv; csrf_token_fec1a049ce0ed19a0b238f769419006b2d79c27b8c238b907b92193c5f76042b=HCBvI21RNImWntcLej5RAMJ2jMf4k2O8CyJb5+tJJoc=] user-agent:OpenAPI-Generator/1.0.0/go] host:kratos:4434 method:GET path:/admin/self-service/login/flows query:id=befa2265-bb30-4b0b-a4f1-b4eed9172069 remote:x.x.1.6:60244 scheme:http] http_response=map[headers:map[content-type:text/html; charset=utf-8 location:/admin/self-service/login/flows?id=befa2265-bb30-4b0b-a4f1-b4eed9172069] size:107 status:307 text_status:Temporary Redirect took:172.332µs]
```
As a workaround, I used a plain Go HTTP client and invoked the endpoint directly. No redirects, and the flow was retrieved successfully. Frustrating; I'd wish to use the client libraries 😕
```go
// Call the public endpoint directly, forwarding the browser's Cookie header.
req, _ := http.NewRequest("GET", r.Config().Kratos.PublicURL+"/self-service/login/flows?id="+*flowId, nil)
req.Header.Set("Cookie", cookie)
```
m
Hmm, hard to say what the issue is without trying to reproduce it myself 🤔 Here are some common troubleshooting tips with CSRF: https://www.ory.sh/docs/troubleshooting/csrf
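The redirect in the log above (a request to host kratos:4434 with a non-/admin path answered with a 307 to /admin/...) is easy to miss when an HTTP client follows redirects silently and only the final 403 reaches the caller. As an added example that is not part of this thread and not Ory's code, here is a plain net/http fetch of the login flow that refuses to follow redirects and reports them as a distinct error, exercised against two constructed stand-in servers: one that mimics the redirecting admin port, and one that mimics a public port which requires the forwarded cookie. The stand-in behaviour (403 without a cookie, 403 on the /admin path) is an assumption made for the demonstration, not Kratos's documented behaviour; the real check is to point FrontendAPI calls at the public URL and to treat any 3xx from the flow endpoint as a misconfiguration signal.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RedirectError is returned instead of following a redirect, so the caller sees
// where the request was sent (for example to /admin/...) rather than a bare 403.
type RedirectError struct {
	Status   int
	Location string
}

func (e *RedirectError) Error() string {
	return fmt.Sprintf("unexpected redirect %d to %q", e.Status, e.Location)
}

// newNoRedirectClient builds an http.Client that hands every redirect response
// back to the caller unchanged instead of following it.
func newNoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// fetchLoginFlow GETs <baseURL>/self-service/login/flows?id=<flowID>, forwarding the
// browser's Cookie header verbatim. A 3xx answer becomes a RedirectError, any other
// non-200 answer becomes a plain error, and a 200 returns the response body.
func fetchLoginFlow(client *http.Client, baseURL, flowID, cookie string) ([]byte, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return nil, err
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/self-service/login/flows"
	u.RawQuery = url.Values{"id": {flowID}}.Encode()

	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/json")
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
		return nil, &RedirectError{Status: resp.StatusCode, Location: resp.Header.Get("Location")}
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("login flow request failed with status %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// newFakeAdminKratos is a constructed stand-in for the admin port seen in the log:
// non-/admin paths get a 307 to /admin/<path>, and the /admin path answers 403
// (an assumption for this demo, not Kratos's documented behaviour).
func newFakeAdminKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/admin/") {
			http.Redirect(w, r, "/admin"+r.URL.Path+"?"+r.URL.RawQuery, http.StatusTemporaryRedirect)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	}))
}

// newFakePublicKratos is a constructed stand-in for the public port: it returns a
// minimal flow document when a Cookie header is present and 403 otherwise.
func newFakePublicKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/self-service/login/flows" {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("Cookie") == "" {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"id":%q}`, r.URL.Query().Get("id"))
	}))
}

func main() {
	admin := newFakeAdminKratos()
	defer admin.Close()
	pub := newFakePublicKratos()
	defer pub.Close()

	client := newNoRedirectClient()
	cookie := "csrf_token_example=constructed-value" // constructed sample cookie
	if _, err := fetchLoginFlow(client, admin.URL, "flow-1", cookie); err != nil {
		log.Printf("admin base URL: %v", err) // surfaces the 307 to /admin/...
	}
	body, err := fetchLoginFlow(client, pub.URL, "flow-1", cookie)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("public base URL: %s", body)
}
```

Run it as-is and the first call logs the redirect target instead of a bare 403, which is the signal that the client was pointed at the admin base URL; the second call, against the public stand-in with the cookie forwarded, returns the flow.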